white paper






  • Shelters or Windmills: The Struggle For Power and Information Advantage

    We are in the middle of a power shift in society that is at least as large as that of the printing press. Information advantage has always been the same as power: when the ruling elite has historically lost the information advantage, they have also lost power. Therefore, that advantage has always been defended, often with violence: militarization of information technology goes back to the Roman civilization. By learning from history, we get blueprints of the successful battle plans, as well as an understanding of where we are in this particular cycle of history.

    Presented By:
    Rick Falkvinge


  • A Perfect CRIME? Only TIME Will Tell

    On 2012, security researchers shook the world of security with their CRIME attack against the SSL encryption protocol. CRIME (Compression Ratio Info-leak Made Easy) attack used an inherent information leakage vulnerability resulting from the HTTP compression usage to defeat SSL’s encryption.

    However, the CRIME attack had two major practical drawbacks. The first is the attack threat model: CRIME attacker is required to control the plaintext AND to be able to intercept the encrypted message. This attack model limits the attack to mostly MITM (Man In The Middle) situation.

    The second issue is the CRIME attack was solely aimed at HTTP requests. However, most of the current web does not compress HTTP requests. The few protocols that did support HTTP requests compression (SSL compression and SPDY) had dropped their support following the attack details disclosure, by thus rendering the CRIME attack irrelevant.

    In our work we address these two limitations by introducing the TIME (Timing Info-leak Made Easy) attack for HTTP responses.

    By using timing information differential analysis to infer on the compressed payload’s size, the CRIME attack’s attack model can be simplified and its requirements can be loosened. In TIME’s attack model the attacker only needs to control the plaintext, theoretically allowing any malicious site to launch a TIME attack against its innocent visitors, to break SSL encryption and/or Same Origin Policy (SOP).

    Changing the target of the attack from HTTP requests to HTTP responses significantly increases the attack surface, as most of the current web utilizes HTTP response compression to save bandwidth and latency.

    In particular, we:

    • Introduce the TIME attack
    • Show an actual POC of timing differential analysis to infer on the compressed payload’s size and subsequently the cipher-text’s underlying plaintext
    • Show the relevancy of compression ratio information leakage for HTTP responses
    • Suggest mitigation steps against the TIME attack

    Presented By:
    Tal Be'ery
    Amichai Shulman

  • Advanced Heap Manipulation in Windows 8

    With the introduction of Windows 8, previously public known heap/kernel pool overflow exploitation techniques are dead because of exploit mitigation improvements. There are indications that compromising application specific data, which are facilitated by heap manipulation, are getting more popular for future exploitation.

    How to deterministically predict the heap state in great possible level?

    Tradition manipulation technique (both kernel pool and user heap) is to consistently defragment the heap which makes future allocations adjacent afterwards, and then make holes in these allocations to let the vulnerable buffer, which with similar size, fall into one of them.

    In the user heap a new LFH allocator was introduced, the randomized alloc/free and guard pages made this technique tough to work.

    Beyond that, the traditional technique has some limitations such as the size of the vulnerable buffer and the type of data structure that could be chosen as attacking target (especially in kernel pool), which together make it cannot be considered as a generic solution any more.

    This talk is aimed to provide an advanced method on precisely manipulating heap layout (kernel pool and user heap) by standing on the giant’s shoulder: “Heap Feng Shui”. Arbitrary sized vulnerable buffer could be covered with our more generic method which paves the way toward further interesting discoveries for security researchers. A reliable demo will be explained at the end of this section.

    By setting up the heap in a controlled state, some specific vulnerability scenarios could be exploited easily and reliably.

    In the following practical sections, this talk will then divided into two parts:

    1: Kernel pool:
    I will show how to plant a desired kernel object into a fixed known address, and then demo exploit against write-what-where vulnerability scenarios.

    Furthermore, some attacks which need the sufficient control of the kernel pool and precise size information (eg: “block size attack” brought by Tarjei in his BH USA 2012 talk) may utilize this research.

    I will also show how carefully crafted kernel pool layout combined with application data corruption could lead to reliable exploit in kernel pool overflow scenarios.

    2: User heap:
    I will discuss the possibility of heap determinism in Windows 8 user heap, and use demo to prove that: reliable heap exploitation is still achievable in some circumstance with proper heap layout crafting.

    Presented By:
    Zhenhua 'Eric' Liu

  • Building a Defensive Framework for Medical Device Security

    In the past 18 months we have seen a dramatic increase in research and presentations on the security of medical devices. While this has been exciting and brought much needed attention to the issue, little has been done to help with the defense of these devices. There is a great deal of confusion on this topic due to the broad term “Medical Device”. In this presentation, we will clarify the issue, divide it into three separate categories with their own unique problems, and dispel the FUD around medical devices. Additionally, the recent GAO report published by the US Congress will prompt action by various regulatory bodies on the issue of security. These agencies are not designed to evaluate the security of embedded computers, and without guidance, will cause more problems than they will solve. This presentation will provide realistic recommendations on what can be done by regulatory agencies to bolster the defense of medical devices and highlight specific focus areas the community should be targeting with future research. This presentation will focus on what can be done by regulatory agencies to bolster the defense of medical devices as well as what the community should focus on going forward in research.

    Presented By:
    Jay Radcliffe

  • The Deputies Are Still Confused

    The same origin policy is something most technical people think they understand, but it’s full of caveats and pitfalls. This talk will explore some of these misunderstandings with practical examples of attacks that happen somewhere between the browser tabs. We’ll look at new scenarios where it's possible to bypass some of the most common content-isolation mechanisms usually recommended (even by top notch people/organizations) to protect against CSRF, clickjacking, and NTLM attacks. The gist is, completely mitigating these things can be very difficult to get right.

    Presented By:
    Rich Lundeen

  • DropSmack: How Cloud Synchronization Services Render Your Corporate Firewall Worthless

    Cloud backup solutions, such as Dropbox, provide a convenient way for users to synchronize files between user devices. These services are particularly attractive to users, who always want the most current version of critical files in each location. Many of these applications “install” into the user’s profile directory and the synchronization processes are placed in the user’s registry hive (HKCU). Users without administrative privileges can use these applications without so much as popping a UAC dialog. This freedom makes illicit installations of these applications all the more likely.

    Cloud backup providers are marketing directly to corporate executives offering services that will “increase employee productivity” or “provide virtual teaming opportunities.” Offers such as these make it more likely than ever that any given corporate environment has some cloud backup solutions installed.

    Some theoretical research papers have previously identified the possible risk that cloud backup solutions may pose for data exfiltration. These applications pose serious risks for Data Loss Prevention (DLP) applications since normal channels monitored by DLP are bypassed. It is far more difficult for DLP to detect files written to the user profile than files being attached in the browser to a web based email or files being moved to a removable drive.

    The contributions of this presentation are threefold. First, we show how cloud based synchronization solutions in general, and Dropbox in particular, can be used as a vector for delivering malware to an internal network. We do this by examining a case study from a penetration test. Second, we show how specially developed malware can use the synchronization service as a Command and Control (C2) channel. Given an active C2 channel via Dropbox, an attacker can determine how to establish a more traditional C2 channel out of a network on the compromised host. Finally, we demonstrate functioning malware that uses Dropbox to exfiltrate data en-masse from the network. While the idea of using cloud synchronization technologies for data exfiltration is not new, we are not aware of any functioning tools designed to exfiltrate data from a network via Dropbox.

    In our experience, people tend to take potential vulnerabilities more seriously after proof of concept code is publicly available. By releasing this tool, we hope to stir up some real conversation about whether synchronization software is appropriate for all corporate environments (and if so, under what controls).

    Presented By:
    Jacob Williams

  • Dude, Where’s My Laptop?

    On a daily basis we carry laptops, tables, smartphones and all kind of gadgets containing personal and corporate information, and thousands of those devices get lost or stolen. According to the FBI, losses due to laptop theft rise more than $3.5 million in 2005 and in 2011 the NSW Bureau of Crime Statistics and Research reported that thefts of laptops have been on the increase over the last 10 years costing millions in losses every year.

    Dozens of security solutions from well-known antivirus houses, hardware vendors, ISV and single developers have popped up over the years to secure all desktops and smartphones platforms claiming to protect our information and even help to recover our devices, but are those claims true?

    These solutions cover all major desktops platforms such as Windows, Linux and MacOS, but also plenty of options for Android, iOS and Windows Phones as well. Solutions features vary but most offer remote wiping, GPS tracking, data encryption, SMS activation, sound alarms, camera activation and policy report generation among others.

    In this presentation we will present the results of statically and dynamically analyzing dozens of these so-called security solutions and their claims. How easily can a burglar defeat these products? Come and see!

  • Floating Car Data from Smartphones: What Google and Waze Know About You and How Hackers Can Control Traffic

    In recent years, a trend of using real-time traffic data for navigation has developed. Google Navigation and Waze, for instance, generate traffic data from movement profiles of smartphones. In this paper we tackle the question to which extent it is possible for Google and Waze to track the smartphone and its owner. Furthermore, we show how wireless access points and smartphones acting like wireless access points can be located around the world. In addition to the privacy issue, we examine whether the authenticity of traffic data can be guaranteed. We demonstrate in practice how hackers can take control of navigation systems and, in the case of a wide distribution of floating car data, can actively control the traffic flow. At the end we present a practical protocol preventing such attacks and at the same time preserving the user's privacy. The protocol has been implemented on different hardware platforms and benchmark results are given.

    Presented By:
    Tobias Jeske

  • Hacking Appliances: Ironic exploitation of security products

    I have discovered and provided over 100 proof-of-concept exploits to various vendors over the past 12 months, and most of these have related to security appliances.

    This presentation discusses common vulnerabilities found across various appliances, and some interesting attack vectors where external attackers can exploit vulnerabilities in appliances to gain control over gateways, firewalls, email and web-filters, VPN solutions and access the internal network.

    Presented By:
    Ben Williams

  • Hacking Video Conferencing Systems

    High-end videoconferencing systems are widely deployed at critical locations such as corporate meeting rooms or boardrooms. Many of these systems are reachable from the Internet or via the telephone network while in many cases the security considerations are limited to the secure deployment and configuration.

    We conducted a case study on Polycom HDX devices in order to assess the current state of security on those devices. After analyzing the software update file format and showing how to get system level access to the otherwise closed devices we describe how to setup a proper vulnerability development environment which lays the groundwork for future security research.

    We demonstrate the feasibility of remotely compromising Polycom HDX devices over the network by implementing an exploit for one of the vulnerabilities we identified in the H.323 stack of the current software version which allows us to compromise even firewalled devices as long as the H.323 port is reachable. Our attack does not require the auto-answer feature for incoming calls to be turned on.

    We conclude with some thoughts about post-exploitation and describe possible ways to control attached peripherals such as the video camera and microphone which could be used to build a surveillance rootkit.

    Presented By:
    Moritz Jodeit

  • Hardening Windows 8 apps for the Windows Store

    Security and privacy in mobile development has been a topic in the iOS and Android world for a few years now. Microsoft is entering the fray with be their first significant push into the mobile space. Will your apps be the next ones on the front page of Ars Technica (for the wrong reasons)? Bill would like to help you make sure that won’t happen. Learn the security considerations of HTML5, backend services, cloud computing and WinRT.

    Presented By:
    Bill Sempf

  • Harnessing GP²Us - Building Better Browser Based Botnets

    It is commonly assumed that most technology based on strong computations such as encryption keys cannot be broken. And generally, even GPUs or relatively small to medium size GPGPU clusters are not sufficient. People usually feel safe using a relatively strong password to generate keys in order to secure sensitive data on a mobile device or desktop computer. In the same way, companies generally feel safe encrypting data or signing emails with keys that are supposed to resist common attackers, or some times storing password hashes with multiple rounds in the best cases. What methods can attackers use to break them? Botnets or expensive GPU clusters. For the botnet option, the problem is that creating a good rootkit is very expensive if willing to exploit recent computers (those with the better GPUs, generally), and must target a specific and recent OS. What about a botnet in a browser that could efficiently use GPUs? It's cheap, doesn't require too much knowledge to create, and could work on mobile, Windows, Mac, tablets and even game consoles! Also, GPUs evolve so much faster than CPUs (and newer CPUs now even integrate on chip graphics), and with the number of web-enabled computing devices greatly increasing; it is not so far-fetched to think that such botnets might be breaking higher-entropy keys within a few years.

    The technology is already here, and is already partially implemented in most applications and browsers. Using XSS and HTML5, a permanent XSS would be injected client-side through cache poisoning at several layers. Cross frame scripting and other techniques can also be used, and communication to the server would be handled by HTML5 functions bypassing the same origin policy. Thousands of web zombies can be controlled and used. Using a machine's GPU is a little bit trickier. WebGL, NaCL and even Flash can use OpenGL ES, which would allow using the GPU to compute complex operations and is currently implemented in most of the latest web browsers on various platforms. The current version of OpenGL ES is not ideal for General Computing (but it is getting better), however the company that created this standard also created WebCL, which allows tapping into parallel computing resources of GPUs and is much faster than any other browser-based technology. Is this going to be the final piece of the puzzle for high-speed browser-based botnets?

    I will consider botnet impact, cost, stealth requirements and portability, and sketch out the optimal botnet architecture. Performance metrics will be presented for the chosen architecture. Lastly, I will discuss what attackers would be able to do now and in the future, and what they could break.

    Presented By:
    Marc Blanchou

  • Honeypot That Can Bite: Reverse Penetration

    This talk will be considered by the concept of aggressive honeypot. The main concept is that “defense can be aggressive” and how this might work. We will also profit by:

    • De-Anonymizing attackers.
    • Filter and find non-bot attacks.
    • Determine the attacker’s technical skill level.
    • Get control of the attacker

    Also, we will try to answer these questions:

    • Who can use these techniques?
    • Why are they useful?
    • How effective it can be?

    And of course we will take a look into real experiment, real samples of attacks, and results from the realization of this idea. We will also cover more interesting things such as which vulnerabilities we can be used- just client-side, or something in 3rd party services? What about social engineering? (All of these can be used, and I'll show how it can be done with real examples!)

    Presented By:
    Alexey Sintsov

  • Huawei - From China with Love

    3G/4G networks are getting popular more and more these days. Most of users nowadays have USB 3G/4G modems – they’re small, easy-to-use and pretty cheap. That’s why we started this research. The main idea of it – find an opportunity to infect as much as possible.

    As a result of this research we can say that software that manages the USB device is full of vulnerabilities (from Remote Code Execution to Local Privilege Execution) So, full pwnage of a box. The main goal of modem infection can become constructing world-wide botnet: from infecting one Website - to pwnage of all users of Huawei USB modems.

  • Hybrid Defense: How to Protect Yourself From Polymorphic 0-days

    In this presentation we propose an approach and hybrid shellcode detection method, aimed at early detection and filtering of unknown 0-day exploits at the network level. The proposed approach allows us to summarize capabilities of shellcode detection algorithms developed over the last ten years into an optimal classifier. The proposed approach allows us to reduce total false-positive rate to almost zero, provides full coverage of shellcode classes detected by individual classifiers, and significantly increases total throughput of detectors. Evaluation with shellcode datasets, including Metaspoit Framework 4.3 plain-text, encrypted and obfuscated shellcodes, benign Win32 and Linux ELF executables, random data and multimedia shows that hybrid data-flow classifier significantly boosts analysis throughput for benign data - up to 45 times faster than linear combination of classifiers, and almost 1.5 times faster for shellcode only datasets. We also give a tool demonstration.

  • Invisibility Purge – Unmasking the Dormant Events of Invisible Web Controls – Advanced Hacking Methods for Asp.Net, Mono and RIA

    Server Web Controls are common components in modern platforms that speed up development and enable content reuse.

    Since events of server controls implement additional application features, they might be protected via privilege validation, comments or properties that disable or render them invisible.

    However, since Invisibility, by definition, is in the eyes of the beholder, an invisible object can still be visible to instruments designed to locate it.

    By abusing the event activation mechanism of server controls, it's possible to enumerate and execute dormant events, in-spite of most security measures - all using a refined methodology and a new designated tool.

    Presented By:
    Shay Chen

  • Let's Play - Applanting

    Your mobile is your identity; you are not only connected to friends and family, but you are also connected to your banks, social networks, and various service providers.

    The cyber world is plagued with thousands of security issues today. Ever increasing vectors of Spams, XSS, and injection attacks are making the security issues complex. This leads mobile platforms to add more complexity to this.

    With the world quickly adopting speedy and convenient way of computing offered by mobiles, security is always traded for convenience.

    There are many talks about making and sneaking malicious apps into an app store, and then targeting the victims for fun and profit; but before attacker comes to the fun and profit part, the most difficult hurdle is to install a rouge app on the victims Mobile.

    In this talk I will be introducing a new attack methodology – APPLANTING, which the attacker can install an app on the victim’s Android device, without the victims knowledge.

    APPLANTING attack combines CSRF & click jacking to transparently install an app on victims’ Android device & successfully become man in the mobile to carry out further damage.

    Presented By:
    Ajit Hatti

  • The M2M Risk Assessment Guide, a Cyber Fast Track Project

    In 2012, Capitol Hill Consultants LLC (CHC) was awarded a Cyber Fast Track (CFT) project focused on an overall analysis of the Machine 2 Machine (M2M) landscape. M2M, a new movement in technology which incorporates the cellular/wireless augmentation of legacy engineering applications such as automobiles, medical devices, and SCADA, bridges our physical lives with digital systems. After an initial analysis of over two-hundred M2M-centric companies world wide, the team isolated a group of approximately eighty (80) organizations whose business plan directly involved M2M solutions. The CHC team spent the next few months analyzing products and services from those organizations, categorizing the tools and technologies used in the development and deployment of M2M solutions. The result is the M2M Risk Assessment Guide, a fully encompassing play book for M2M security to be released for the first time at Black Hat Amsterdam 2013. The Guide provides both engineers and analysts with a strategy for auditing existing products and securely designing new prototypes. It provides high level insight into the six (6) primary M2M industries while delving deep into the low level components used to effect solutions in each industry. The presenter will provide a walk through of how the Guide can be used by a consulting team or an internal security team, and how it can be easily augmented as M2M evolves.

    Presented By:
    Don A. Bailey

  • Mesh Stalkings-Penetration Testing with Small Networked Devices

    This talk will show attendees how they can do penetration testing with a network of small, battery-powered, penetration testing systems. The small devices discussed will be running a version of The Deck, a full-featured penetration testing and forensics Linux distro. The Deck runs on the BeagleBoard-xM, BeagleBone, and similar ARM-based systems. These devices are easily hidden and can run for days to weeks off of battery power thanks to their low power consumption. While each device running The Deck is a full-featured penetration-testing platform, connecting systems together via a mesh network allows even more power and flexibility. A complete setup consisting of a portable command station with 7-inch touchscreen, and several nodes with Wi-Fi adapters all connected with ZigBee networking can easily be constructed for fewer than 1,000 Euros. This entire setup can easily fit inside two child's lunch boxes.

    Presented By:
    Phil Polstra

  • Multiplayer Online Games Insecurity

    Multiplayer online games security are an underestimated field, with an insane amount of players playing online games and companies pushing out new games at an incredible rate. In this ecosystem finding vulnerabilities in games turns to be a really attractive work. This talk details the current status of games security, describing game-specific issues and how to find vulnerabilities in games. Moreover this talk covers in detail the Steam Browser Protocol security and will discuss a new 0-day vulnerability affecting a well-known multiplayer game.

  • Next Generation Mobile Rootkits

    Modern smartphones have a lot of secret data on them: Personal & company data, certificates for mail and credit-card data for NFC wallets. Due to this, building rootkits for them gets more and more interesting. In this talk we will use a hardware (security) feature of last generation ARM processors to write and hide rootkits in a way that they're practically invisible to the operating system.

    Besides looking at the theoretical attack vector I will also talk about the lessons I learned while writing and hiding an actual rootkit using this method.

    Presented By:
    Thomas Roth

  • Off Grid communications with Android - Meshing the mobile world

    Before they were a team, the members of project SPAN thought it was highly limiting to only be able to network smart phones over standard Wi-Fi or with a Cellular infrastructure. Honestly, the SPAN team isn't a big fan of infrastructure-based networks in general. They wanted a headless, dynamic network that allowed for resilient communications when the other infrastructure either wasn't available or when they just didn't feel like using it. They also really liked the idea of a communication system where there was no central router, server or other central point of sniffing of data. With this in mind, they teamed up and created project SPAN (Smart Phone AdHoc Networks). They decided to open source the project and to share not only the code but also the whole process and idea with the community at large. The team is annoyed that the current generation smart phone radios have the intrinsic ability to communicate directly with one another, but hardware vendors and mobile OS frameworks don’t make it easy to do so.

    Join the SPAN team for a deep dive into the Android network stack implementation and its limitations, an analysis of the Wi-Fi chipsets in the current generation of smart phones and a collection of lessons learned when writing your own network routing protocol. The team will also share a ""How To"" walkthrough into implementing your own Mesh network and incorporating general ""Off Grid"" concepts into your next project; this will include securing your mesh from outside parties while tunneling and bridging through the internet. The team will delve into specific Android limitations of Ad-Hoc networking and provide workarounds and bypass mechanisms. Lastly, we will expound on reverse engineering cell phone WiFi chipsets and how to make hardware do interesting things without a datasheet

    Presented By:
    Josh Thomas
    Jeff Robble

  • OptiSig: Semantic Signature for Metamorphic Malware

    String pattern matching is the most widely used method for anti-virus software to detect malware. However, this technique proves to be ineffective against metamorphism, which use a lot of transformation technique to evade pattern-based signature.

    This research attempts to solve the essential part of the problem by introducing semantic signature for metamorphic malware. Unlike traditional signature, semantic signature is able to detect metamorphic code even if they have gone through multiple transformations. Our talk starts with the overview of popular mutation techniques used by metamorphism, then defines the semantic signature, and explains how to create and match them against the suspected code. Some cool demos will help the audience to understand the challenges, advantages and drawback of this solution.

    We have implemented a toolset named OptiSig to realize our idea. OptiSig is able to produce the semantic signature for the metamorphic code, evaluate a sequence of machine code against the generated signature, then gives out the verdict of the equivalence (or not) of the code against the signature. OptiSig supports both 32-bit and 64-bit Intel platforms.

    Presented By:
    Nguyen Anh Quynh

  • Practical Attacks Against MDM Solutions

    Spyphones are surveillance tools surreptitiously planted on a user’s handheld device. While malicious mobile applications, mainly phone fraud applications distributed through common application channels, target the typical consumer, spyphones are nation states tool of attacks. Why? Once installed, the software stealthy gathers information such as text messages (SMS), geo-location information, emails and even surround-recordings.

    How are these mobile cyber-espionage attacks carried out? In this engaging session, we present novel proof-of-concept attack techniques - both on Android and iOS devices - which bypass traditional mobile malware detection measures- and even circumvent common Mobile Device Management (MDM) features, such as encryption.

  • Power Analysis Attacks for Cheapskates

    Power analysis attacks present a devious method of cracking cryptographic systems. But looking at papers published in this field show that often the equipment used is fairly expensive: the typical oscilloscope used often have at least a 1 GSPS sampling rate, and then various probes and amplifiers also add to this cost. What is a poor researcher to do without such tools? This presentation will give a detailed description of how to setup a power analysis lab for a few hundred dollars, one that provides sufficient performance to attack real devices. It's based on some open-source hardware & software I developed, and is small enough to fit in your pocket. This will be demonstrated live against a microcontroller implementing AES, with details provided so attendees can duplicate the demonstration. This includes an open-hardware design for the capture board & open-source Python tools for doing the capture. Underlying theory behind side-channel attacks will be presented, giving attendees a complete picture of how such attacks work

    Presented By:
    Colin O'Flynn

  • Practical Exploitation Using A Malicious Service Set Identifier (SSID)

    How easily we overlook a simple wireless SSID, and think nothing of it or its potential risk to us. In this presentation I will be discussing the leveraging of SSIDs to inject various attacks into Wireless devices, and management consoles. The type of injection attacks discussed will include XSS, CSRF, command injection and format strings attacks. I will be discussing various malicious SSID restrictions, limitations, and potential attack success dependencies. Using live demonstrations I will show how each of these attack methods are carried out. In conclusion I will be discussing how common this attack vector potentially is, and its overall risk factors.

    Presented By:
    Deral Heiland

  • The Sandbox Roulette - Are You Ready For The Gamble?

    What comes inside an application sandbox always stays inside the sandbox. Is it REALLY so? This talk is focused on the exploit vectors to evade commercially available sandboxes Las Vegas-style: We'll spin a "Sandbox Roulette" with various vulnerabilities on the Windows Operating System and then show how various application sandboxes hold up to each exploit. Each exploit will be described in detail and how it affected the sandbox.

    There is a growing trend in enterprise security practices to decrease the attack surface of vulnerable endpoints through the use of application sandboxing. Many different sandbox environments have been introduced by vendors in the security industry, including OS vendors, and even application vendors. Lack of sandboxing standards has led to the introduction of a range of solutions without consistent capabilities or compatibility and with their own inherent limitations. Moreover some application sandboxes are used by malware analysts to analyze malware and this could impose risks if the sandbox was breached.

    This talk will present an in-depth, security focused, technical analysis of the application sandboxing technologies available today. It will provide a comparison framework for different vendor technologies that is consistent, measurable, and understandable by both IT administrators and security specialists. In addition we will explore each of the major commercially available sandbox flavors, and evaluate their ability to protect enterprise data and the enterprise infrastructure as a whole. We will provide an architectural decomposition of sandboxing to highlight its advantages and limitations, and will interweave the discussion with examples of exploit vectors that are likely to be used by sophisticated malware to actively target sandboxes in the future.

  • To dock or not to dock, that is the question: Using laptop docking stations as hardware-based attack platforms

    Laptop docking stations are widely used in the corporate world, often in hot-desking environments. They provide a neat connectivity solution for workers who are semi-mobile and therefore use laptops rather than desktop PCs. However, laptop docks are an attractive target for an attacker. They have access to the network, to all the ports on a laptop (and often some that aren't) and they are permanently connected to a power supply. But most importantly, they are considered to be trusted, "dumb" devices - they just connect all the ports on your laptop to the ports in the dock right? The IT department is more concerned about someone stealing your laptop, so they'll ask you to secure your laptop with a Kensington lock (but not necessarily to secure the dock). This talk is about how attackers can exploit the privileged position that laptop docking stations have within the corporate environment. It will also describe the construction (and show a demo) of a remotely controllable, covert hardware implant within a commonly used laptop docking station, but most importantly it will discuss some of the techniques that can be employed to detect such devices and mitigate the risks that they pose.

    Presented By:
    Andy Davis

  • Using D-Space to Open Doors

    You start every workday with a beep that opens the door to your office building - but how do those proximity card access systems really work? And more importantly - how cool would it be to hack them!? From the card to the back end database, proximity card access systems contain a variety of components, all which, are vulnerable to attack but have been rarely targeted. This demo-driven presentation explores and attacks each of the various components (RFID tags, controllers, and backend systems) of a popular deployment.

    Presented By:
    Brad Antoniewicz

  • XML Out-of-Band Data Retrieval

    This talk covers a brand new technique for out-of-band data retrieval. It allows us to access files and resources from victim’s machine and internal network, even when normal output is possible from the vulnerable application that handles XML data.

  • Who's Really Attacking Your ICS Devices?

    ICS/SCADA systems have been the talk of the security community for the last two years due to Stuxnet, Flame, and several other threats and attacks. While the importance and lack of security around ICS systems is well documented and widely known, this talk illustrates Internet facing SCADA/ICS systems, who’s really attacking them, and why.

    This talk will also cover the robust honeynet developed for research purposes on whom, is attacking ICS systems. Throughout the course of several months, I have created a honeynet/honeypot architecture that directly mimics ICS/SCADA devices and had them Internet facing. The results of attacks were quite astounding, and will be covered in my talk as well.

    In addition, this talk also covers security techniques for securing ICS/SCADA systems and some best practices for doing so.

    Presented By:
    Kyle Wilhoit


  • Advanced iOS Application Pentesting

    This workshop will equip you with the bleeding edge techniques to analyze and systematically audit iOS applications. In course of the class, we will decrypt and disassemble applications, correlate class information with runtime data structures, monitor APIs and network communication, subvert security mechanisms, test data security in the file system and keychain, learn about Anti-Piracy techniques and how to beat them … and a ton of other things!

    The workshop is fully practical and will be taught using custom insecure applications and real world applications. At the end, we will have a CTF with 3 additional challenge applications.

    Presented By:
    Vivek Ramachandran

  • Application Development Secure Coding Workshop

    The root cause of web insecurity includes poor software development practices. This workshop provides essential application security training for software developers and architects. A broad array of secure coding topics will be covered with multiple demonstrations. Participants will learn the most common threats against web applications, web services and mobile applications. More importantly, attendees will learn how to prevent and fix these threats using production quality, high performance application security controls.

    Presented By:
    Jim Manico

  • Assessing BYOD with the Smartphone Pentest Framework

    When many people hear Smartphone Pentest Framework they think that this tool lets you run attack tools from a smartphone. Instead this tool lets you assess the security posture of smartphone devices. As smartphones enter the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in much the same way we perform penetration tests on workstations and servers. However, smartphones have unique attack vectors that are not currently covered by available industry tools.

    The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices. In this workshop, attendees will get a hands-on introduction to using SPF. We will look at the functionality of the framework including information gathering, exploitation, social engineering, and post exploitation through both a traditional IP network and through the mobile modem, showing how security teams can leverage this framework, and penetration testers to gain an understanding of the security posture of the smartphones in an organization.

    We will also show how to use the framework through a command line console, a graphical user interface, and a smartphone based app. Attendees will gain hands-on experience assessing multiple smartphone platforms.

    Presented By:
    Georgia Weidman

  • PowerShell for Penetration Testers

    From a long time, we as hackers and penetration testers have been using “third party” stuff for post exploitation. You 0wn a box and then you start looking for option which may not be detected by Anti Virus, which could be easily used and have minimum footprint. What if you can use features of the Operating System itself for your purpose? What if there is a shell already available on the target which is one of the most powerful shells around? It would be a pen tester’s delight, it is PowerShell.

    PowerShell is a shell and scripting language. It practically opens up a Windows OS and network in front of you. If you know how to use PowerShell for your purpose, you may never need anything else for your post exploitation needs. This workshop will teach you offensive security usage of PowerShell. You will see how powershell could be used for backdoors, keyloggers, dumping password hashes, getting credentials in plain and much more. This workshop will change how you do your penetration testing for ever. The workshop will be full of hands on, programming and fun.

    Presented By:
    Nikhil Mittal

  • Vehicle Networks Workshop

    Today’s vehicles have multiple control modules that are linked via various types of networks.  These networks have become pervasive and remain somewhat of an unknown in millions of vehicles on the road today.

    This workshop will:

    • Give basic information of the types of networks found in modern vehicles
    • Answer what these networks are intended to do
    • Answer how these networks are configured
    • Answer what types of control systems are found in vehicles
    • Answer how these controllers function
    • Answer how the network aids the controllers
    • Answer how the networks are used
    • Show how controller can be commanded
    • Show what types of security may be securing critical functions of the vehicle
    • Show how to setup a network on a bench
    • Show how to send and receive data packets with a simulated network
    • Discuss some of the possible exploits common to these networking systems
    • Discuss some of the counter measures put in place by automotive OEMs
    • And much more
    Presented By:
    Robert Leale